Friday, April 11, 2014

No, the NSA didn't make us less secure (heartbleed)

According to a Bloomberg story, the NSA has known about the #heartbleed bug from the moment it was written, presumably because they analyze commits to security packages looking for such bugs. Many have opined that this makes us less safe.

It doesn't. The NSA didn't create the hole. They didn't hinder any other researcher from finding it. If the NSA wasn't looking for the bug, the outcome would be the same.

Finding such bugs and keeping them quiet is wholly within the NSA's mission statement. Their job is to spy on foreigners and keep state secrets safe. Generally, state secrets aren't on machines exposed to the Internet, so keeping the bug secret had no impact on that.

Many think the NSA should do a different job than commanded by the President. That's called "treason". That the NSA, CIA, and the military do exactly what they are told is what distinguishes them from other agencies. Former military head Robert Gates pointed that out in his recent memoir: the reason Presidents like Obama love the military and intelligence agencies is that they are the only groups who do what they are told. There are many problems with the NSA, but that they stay on mission isn't one of them.

Maybe we should have a government agency dedicated to critical cyber infrastructure protection, whose job it would be to find and fix such bugs. Maybe we ought to have a government agency that looks at every commit to the OpenSSL source code, notifying the developers of any problems they find. In theory, the DHS already does that, but of course they are hapless with regards to cybersecurity.

There are reasons to be critical of the NSA. They pay for vulnerabilities, raising the market price of bounties responsible companies like Google have to pay. They hire away talent to look for vulnerabilities, leaving fewer talented people outside the NSA. So in that way, they make everyone else less safe. But the same thing happens elsewhere. After the worms of around 2003, Microsoft hired more than half the talented researchers in the industry, either directly or through consultants, which had the effect of making everyone else less secure. Today, Google and Apple employ lots of talented researchers. The distortions that the NSA causes in the market is less than private enterprise.

The reason to hate the NSA is not because they are following their mission, it's because their mission has creeped to include surveilling American citizens. We need to stop making them the bogyman in every story and focus on the real reasons to hate them.

Please, don't use the word "treason" carelessly. Treason is allying with or aiding in a war against the United States. It is NEVER the correct term for any offense lesser than that. The Constitution is explicit on this point.https://en.wikipedia.org/wiki/Article_Three_of_the_United_States_Constitution#Section_3:_TreasonWhat you described was insubordination. In some situations, insubordination is criminal, but defiance of the President in order to uphold the Constitution is legally warranted.

"The distortions that the NSA causes in the market is less than private enterprise."

NSA is taking its money from taxes (eg by force). By definition it has adversarial impact on the (free) market, distorting it. Private companies on the other hand are not causing "distortions" on the market, as they are part of it, respecting the basic but fundamental "use no force" rule.

And NSA made us less secure as:1/ they actively search for security holes, 2/ they don't report them, 3/ they exploit them.

As a consequence we are less safe from the NSA, and from anyone who get to know about the NSA discoveries.